Code Protection and Robustness

Augustin Farrugia, Apple

A talk about securing the iTunes client.

Security is a trade-off between what you can accomplish and what your
cyberspace allows you to implement. In a nutshell, a security system
protects assets, and it is defined by the requirements of many players:
(1) the asset owner(s); (2) geopolitics; (3) regulation; and (4) other
relevant and irrelevant features. The cost of any security system can be
quantified: it is the number of lines of code written for the application
versus those implemented for security. Typically, on a smart card, 55% of
the code is application code and 45% is security code; the remaining 5%
is liaison code. This distribution of resources relies on secure hardware,
and it does not include any additional features to make the code opaque
to runtime and static analysis. This is no longer the case when the
application runs on an open system, where it is common knowledge that the
code can be reverse engineered for static attacks.